Opened 3 years ago

Closed 3 years ago

#8301 closed defect (fixed)

Attachment policy implementation prevents other plugins from functioning correctly

Reported by: octo
Owned by: Blackhex
Priority: normal
Component: DiscussionPlugin
Severity: major
Keywords:
Cc:
Trac Release: 0.11

Description

The ILegacyAttachmentPolicyDelegate implementation in api.py does not check the resource realm prior to doing its permission check. If this permission check fails, it has the side effect of preventing permission checks in other modules from even functioning at all. On my system, the side effect was that FullBlogPlugin was unable to display attachments for anonymous users (and disabling the DiscussionPlugin magically fixed it).

The current code is written as follows:

def check_attachment_permission(self, action, username, resource, perm):
    return perm.has_permission('DISCUSSION_ATTACH')

It should instead look something like this:

def check_attachment_permission(self, action, username, resource, perm):
    if resource.parent.realm == 'discussion':
        return perm.has_permission('DISCUSSION_ATTACH')
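
Added example, not part of the original ticket or of the plugin's code: a simplified Python model of the delegation problem described above, with the unscoped check next to the realm-scoped one. It assumes delegates are consulted in turn and the first non-None answer is final; `BlogDelegate`, the `BLOG_VIEW` action, the `decide` helper and the sample resources are constructed for illustration.

```python
# Simplified model (not Trac's code) of attachment-permission delegation.
# Assumption: first non-None delegate answer is final; None means "no opinion".
from collections import namedtuple

Resource = namedtuple("Resource", "realm id parent")

class Perm:
    """Constructed stand-in for a permission cache: a set of granted actions."""
    def __init__(self, granted):
        self.granted = set(granted)
    def has_permission(self, action):
        return action in self.granted

class UnscopedDiscussionDelegate:
    """Behaviour reported in the ticket: answers for every realm."""
    def check_attachment_permission(self, action, username, resource, perm):
        return perm.has_permission("DISCUSSION_ATTACH")

class ScopedDiscussionDelegate:
    """Behaviour proposed in the ticket: abstains outside 'discussion'."""
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == "discussion":
            return perm.has_permission("DISCUSSION_ATTACH")
        return None  # no opinion: let the owning plugin decide

class BlogDelegate:
    """Hypothetical delegate for another plugin's realm."""
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == "blog":
            return perm.has_permission("BLOG_VIEW")
        return None

def decide(delegates, action, username, resource, perm):
    for d in delegates:
        decision = d.check_attachment_permission(action, username, resource, perm)
        if decision is not None:
            return decision
    return None

def blog_attachment_visible(discussion_delegate):
    post = Resource("blog", "first-post", None)
    attachment = Resource("attachment", "diagram.png", post)
    anonymous = Perm({"BLOG_VIEW"})  # constructed: no DISCUSSION_ATTACH granted
    return decide([discussion_delegate, BlogDelegate()],
                  "ATTACHMENT_VIEW", "anonymous", attachment, anonymous)

if __name__ == "__main__":
    print(blog_attachment_visible(UnscopedDiscussionDelegate()))  # False
    print(blog_attachment_visible(ScopedDiscussionDelegate()))    # True
```

In this model the scoped delegate still denies attachments under a `discussion` parent when `DISCUSSION_ATTACH` is missing, so the fix narrows where the check applies without loosening it.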

Change History (2)

comment:1 Changed 3 years ago by Blackhex

  • Status changed from new to assigned

Thank you for reporting. I have fixed it now but it will appear in the next commit that will bring some other functionality.

comment:2 Changed 3 years ago by Blackhex

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in r9715.
